I claim:

1. Apparatus for carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising:

    means for intercepting function calls and requests for service sent by an applications program on one of said client computers to a lower level set of communications drivers; and

    means for causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network.

2. Apparatus as claimed in claim 1, further comprising means for intercepting files packaged by a transport driver interface layer to form packets and encrypting the packets using a session key generated during communications with a lower layer of the server.

3. A method as claimed in claim 1, further comprising means for intercepting a destination address during initialization of communications between said one of said client computers and a second of said client computers on said virtual private network;

    means for causing said applications level authentication and encryption program to communicate with the server to carry out functions a.) and b.);

    means for transmitting said destination address to said server;

    means for causing said server to carry out functions a.) and b.) with respect to the second of said two client computers;

    means for enabling said second of said two client computers to recreate the session key;

    means for causing said authentication software to encrypt files to be sent to the destination address using the session key; and

    means for transmitting the encrypted files directly to the destination address.



4. Apparatus as claimed in claim 3, wherein said means for intercepting the destination address is carried out by a shim positioned between a peer-to-peer applications program and a layer of a communications driver architecture of said one of the two client computers.



5. A multi-tier virtual private network, comprising:

    a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network,

    wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server:

        applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files;

        at least one lower level set of communications drivers;

        and a shim arranged to intercept function calls and requests for service sent by an applications program to the lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network.

6. A multi-tier virtual private network as claimed in claim 5, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer.
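As an added illustration, not part of the patent or of any product it describes, the following Go model shows the socket-shim arrangement of claims 5 and 6: the application writes plaintext to what it believes is the socket, the shim first carries out functions a.) and b.) with the server, and every payload is then encrypted before it reaches the transport driver interface layer. The patent text names no mechanism, so the mutual authentication and key agreement here (an HMAC-SHA256 challenge-response over a constructed pre-shared per-client secret, yielding an AES-GCM session key) and all names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server models the server tier: a constructed pre-shared secret per client, plus
// the session key agreed with each client that has authenticated (assumed design).
type Server struct{ secrets, sessions map[string][]byte }

// tag is HMAC-SHA256 over a label and both nonces: the proof in each direction
// of the mutual authentication, and the session-key derivation.
func tag(secret []byte, label string, cNonce, sNonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(append(append([]byte(label), cNonce...), sNonce...))
	return m.Sum(nil)
}

// Challenge answers a client nonce with a server nonce and the server's proof.
func (s *Server) Challenge(id string, cNonce []byte) (sNonce, proof []byte) {
	sNonce = make([]byte, 16)
	rand.Read(sNonce)
	return sNonce, tag(s.secrets[id], "server", cNonce, sNonce)
}

// Finish verifies the client's proof (function a) and records the session key (function b).
func (s *Server) Finish(id string, cNonce, sNonce, proof []byte) error {
	if !hmac.Equal(proof, tag(s.secrets[id], "client", cNonce, sNonce)) {
		return errors.New("client authentication failed")
	}
	s.sessions[id] = tag(s.secrets[id], "session", cNonce, sNonce)
	return nil
}

// Shim is the socket shim: the application calls Send as if it were the socket.
type Shim struct {
	id     string
	secret []byte
	server *Server
	aead   cipher.AEAD // nil until the handshake has installed a session key
}

// handshake mutually authenticates with the server and installs the session key.
func (sh *Shim) handshake() error {
	cNonce := make([]byte, 16)
	rand.Read(cNonce)
	sNonce, sProof := sh.server.Challenge(sh.id, cNonce)
	if !hmac.Equal(sProof, tag(sh.secret, "server", cNonce, sNonce)) {
		return errors.New("server authentication failed") // nothing is sent to an impostor
	}
	if err := sh.server.Finish(sh.id, cNonce, sNonce, tag(sh.secret, "client", cNonce, sNonce)); err != nil {
		return err
	}
	block, _ := aes.NewCipher(tag(sh.secret, "session", cNonce, sNonce)) // 32-byte key, cannot fail
	sh.aead, _ = cipher.NewGCM(block)
	return nil
}

// Send is the intercepted socket call: authenticate on first use, then return what the
// transport driver interface layer actually receives (AES-GCM ciphertext, nonce first).
func (sh *Shim) Send(plaintext []byte) ([]byte, error) {
	if sh.aead == nil {
		if err := sh.handshake(); err != nil {
			return nil, err
		}
	}
	nonce := make([]byte, sh.aead.NonceSize())
	rand.Read(nonce)
	return sh.aead.Seal(nonce, nonce, plaintext, nil), nil
}
```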



7. A multi-tier virtual private network as claimed in claim 6, wherein said applications program is a peer-to-peer communications program, and wherein a peer application destination address, included in said function calls to the socket, is diverted by the socket shim and wherein a destination address including said intercepted function calls is supplied to the server during communications with the server, causing the service to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network.
8. A multi-tier virtual private network as claimed in claim 6, further including a transport driver interface shim positioned between the transport driver interface layer and a second applications program, for intercepting requests from the second applications program for service by the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer.



9. A multi-tier virtual private network as claimed in claim 8, further comprising a network driver layer shim positioned between the network driver layer and the transport driver interface layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.



10. A multi-tier virtual private network as claimed in claim 5, wherein said lower level set of communications drivers includes a network driver layer, and a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and wherein said shim is a transport driver interface layer shim positioned between the applications program and the transport driver interface layer to intercept service requests by the applications program to the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer.



11. A multi-tier virtual private network as claimed in claim 10, wherein said applications program is a peer-to-peer communications program, and wherein a peer application destination address, included in said intercepted requests for service, is diverted by the transport driver interface layer shim and supplied to the server during communications with the server, causing the service to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network.



12. A multi-tier virtual private network as claimed in claim 10, further comprising a network driver layer shim positioned between the network driver layer and the transport driver interface layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.



13. A multi-tier virtual private network, comprising:

    a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network,

    wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server:

        applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and

        at least one lower level set of communications drivers,

        wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and a network driver layer shim positioned between the transport driver interface layer and the network driver layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.



14. A multi-tier virtual private network, comprising:

    a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network,

    wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server:

        applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and

    further comprising means for securing peer-to-peer communications between applications on two of said client computers, said peer-to-peer communications securing means comprising:

        means for intercepting a destination address during initialization of communications by a first of said two client computers;

        means for causing said authentication software to communicate with the server to carry out functions a.) and b.);

        means for transmitting said destination address to said server;

        means for causing said server to carry out functions a.) and b.) with respect to the second of said two client computers;

        means for enabling said second of said two client computers to recreate the session key;

        means for causing said authentication software to encrypt files to be sent to the destination address using the session key; and

        means for transmitting the encrypted files directly to the destination address.



15. A multi-tier virtual private network as claimed in claim 14, wherein said means for intercepting the destination address comprises a shim positioned between the peer-to-peer applications program and a layer of a communications driver architecture of said first of the two client computers.



16. A multi-tier virtual private network as claimed in claim 5, wherein said shim is positioned above a socket, the socket being positioned above a transport driver layer of said communications driver architecture.




17. A multi-tier virtual private network as claimed in claim 5, wherein said shim is positioned above a transport driver layer of said communications driver architecture.




18. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network,

    wherein said computer software includes:

        applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files;

        and a shim arranged to intercept function calls and requests for service sent by an applications program to a lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network.

19. Computer software as claimed in claim 18, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer.



20. Computer software as claimed in claim 19, wherein said applications program is a peer-to-peer communications program, and wherein a peer application destination address, included in said function calls to the socket, is diverted by the socket shim and wherein a destination address including said intercepted function calls is supplied to the server during communications with the server, causing the service to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network.



21. Computer software as claimed in claim 19, further including a transport driver interface shim positioned between the transport driver interface layer and a second applications program, for intercepting requests from the second applications program for service by the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer.



22. Computer software as claimed in claim 21, further comprising a network driver layer shim positioned between the network driver layer and the transport driver interface layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.

23. Computer software as claimed in claim 18, wherein said lower level set of communications drivers includes a network driver layer, and a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and wherein said shim is a transport driver interface layer shim positioned between the applications program and the transport driver interface layer to intercept service requests by the applications program to the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer.



24. Computer software as claimed in claim 23, wherein said applications program is a peer-to-peer communications program, and wherein a peer application destination address, included in said intercepted requests for service, is diverted by the transport driver interface layer shim and supplied to the server during communications with the server, causing the service to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network.
25. Computer software as claimed in claim 23, further comprising a network driver layer shim positioned between the network driver layer and the transport driver interface layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.



26. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network,

    wherein said computer software includes:

        applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and

        at least one lower level set of communications drivers,

        wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and a network driver layer shim positioned between the transport driver interface layer and the network driver layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.



27. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network,

    wherein said computer software includes:

        applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and

    further comprising means for securing peer-to-peer communications between applications on two of said client computers, said peer-to-peer communications securing means comprising:

        means for intercepting a destination address during initialization of communications by a first of said two client computers;

        means for causing said authentication software to communicate with the server to carry out functions a.) and b.);

        means for transmitting said destination address to said server;

        means for causing said server to carry out functions a.) and b.) with respect to the second of said two client computers;

        means for enabling said second of said two client computers to recreate the session key;

        means for causing said authentication software to encrypt files to be sent to the destination address using the session key; and

        means for transmitting the encrypted files directly to the destination address.



28. Computer software as claimed in claim 27, wherein said means for intercepting the destination address comprises a shim positioned between the peer-to-peer applications program and a layer of a communications driver architecture of said first of the two client computers.
29. Computer software as claimed in claim 27, wherein said shim is positioned above a socket, the socket being positioned above a transport driver layer of said communications driver architecture.




30. Computer software as claimed in claim 27, wherein said shim is positioned above a transport driver layer of said communications driver architecture.

31. A method of carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising the steps of:

    intercepting function calls and requests for service sent by an applications program in one of said client computers to a lower level set of communications drivers;

    causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network.

32. A method as claimed in claim 31, further comprising the step of intercepting files packaged by a transport driver interface layer to form packets and encrypting the packets using a session key generated during communications with a lower layer of the server.






33. A method as claimed in claim 31, further comprising the step of intercepting a destination address during initialization of communications between said one of said client computers and a second of said client computers on said virtual private network;

    causing said applications level authentication and encryption program to communicate with the server to carry out functions a.) and b.);

    transmitting said destination address to said server;

    causing said server to carry out functions a.) and b.) with respect to the second of said two client computers;

    enabling said second of said two client computers to recreate the session key;

    causing said authentication software to encrypt files to be sent to the destination address using the session key; and

    transmitting the encrypted files directly to the destination address.



34. A method as claimed in claim 33, wherein said step of intercepting the destination address is carried out by a shim positioned between a peer-to-peer applications program and a layer of a communications driver architecture of said one of the two client computers.